Django security releases issued: 3.0.1, 2.2.9, and 1.11.27
In accordance with our security release policy, the Django team is issuing Django 3.0.1, Django 2.2.9 and Django 1.11.27. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.
These releases are also issued outside of our normal bugfix/release schedule, and did not have the usual one-week prenotification period. By the time the Django security team was made aware of this security issue, its mechanics were already public knowledge, and it was judged best to issue new releases of Django immediately.
CVE-2019-19844: Potential account hijack via password reset form
Django's password-reset form uses a case-insensitive query to retrieve accounts matching the email address requesting the password reset. Because this typically involves explicit or implicit case transformations, an attacker who knows the email address associated with a user account can craft an email address which is distinct from the address associated with that account, but which -- due to the behavior of Unicode case transformations -- ceases to be distinct after case transformation, or which will otherwise compare equal given database case-transformation or collation behavior. In such a situation, the attacker can receive a valid password-reset token for the user account.
To resolve this, two changes were made in Django:
- After retrieving a list of potentially-matching accounts from the database, Django's password reset functionality now also checks the email address for equivalence in Python, using the recommended identifier-comparison process from Unicode Technical Report 36, section 2.11.2(B)(2).
- When generating password-reset emails, Django now sends to the email address retrieved from the database, rather than the email address submitted in the password-reset request form.
This issue was brought to the attention of the Django security team by Simon Charette, who became aware of it after reading a public disclosure of a similar issue which affected GitHub.
Affected supported versions
- Django master branch
- Django 3.0
- Django 2.2
- Django 1.11
Resolution
Patches to resolve the issue have been applied to Django's master branch and the 3.0, 2.2, and 1.11 release branches. The patches may be obtained from the following changesets:
- On the master branch
- On the 3.0 release branch
- On the 2.2 release branch
- On the 1.11 release branch
The following releases have been issued:
- Django 3.0.1 (download Django 3.0.1 | 3.0.1 checksums)
- Django 2.2.9 (download Django 2.2.9 | 2.2.9 checksums)
- Django 1.11.27 (download Django 1.11.27 | 1.11.27 checksums)
The PGP key ID used for these releases is Mariusz Felisiak: 2EF56372BA48CD1B.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
As noted above, because the underlying cause of this issue was already publicly known, these releases were issued without the usual prenotification process.